Attack Graphs for Proactive Digital Forensics



Page 1: Attack Graphs for Proactive Digital Forensics

I would like to thank Louis P. Wilder and Dr. Joseph Trien for the opportunity to work on this project and for their continued support.

The Research Alliance in Math and Science program is sponsored by the Office of Advanced Scientific Computing Research, U.S. Department of Energy. The work was performed at the Oak Ridge National Laboratory, which is managed by UT-Battelle, LLC under Contract No. De-AC05-00OR22725. This work has been authored by a contractor of the U.S. Government, accordingly, the U.S. Government retains a nonexclusive, royalty-free license to publish or reproduce the published form of this contribution, or allow others to do so, for U.S. Government purposes.

Attack Graphs for Proactive Digital Forensics
Tara L. McQueen
Delaware State University
Research Alliance in Math and Science
Computational Sciences and Engineering Division
Mentor: Louis P. Wilder
http://wiki.ornl.gov/sites/rams09/t_mcqueen/Pages/default.aspx

Cyber Security
• Maintaining confidentiality, availability and access of information
• Identifying legitimate
  • Users
  • Requests
  • Tasks
• Preserving information integrity
• Mending network vulnerabilities

Cyber Protection
• Growing need as fraudulent activity increases
• Affecting industries dependent on
  • Networks
  • Computer systems
  • Internet

Hacking
• Gaining unauthorized
  • Access
  • Control
  • Data
• Using technical knowledge and exposed information
• Cleaning tracks
• Preventing it is difficult and expensive

USB Exploits
• Take milliseconds to initiate (in and out)
• Collect confidential documents
• Send a worm through the network
• Execute applications automatically
• Easy to develop, retrieve and unleash
• Occur without the user noticing

Proactive Digital Forensics
• Anticipating the hacker/exploit path
• Detecting a hacker/exploit in progress
• Collecting the proper data immediately for judicial efforts
• Enhancing security

Attack Graphs
• Communicate information about threats
• Display combinations of vulnerabilities
• Show vulnerabilities as vertices
• Express hierarchical constraints via edges

USB Exploit Attack Graph

Theoretical Proactive Design
• All computers/nodes on the network use Splunk
• Splunk’s additional behavior configurations stem from attack graphs
• Attack graphs designed for all known exploits
• Plug-in device triggers the design
• Real-time alerts sent after the trigger
• Instant, in-depth recording of “suspicious” activity

Splunk
• Analyzes/monitors IT infrastructure
• Records and indexes data
  • Logs
  • Configurations
  • Scripts
  • Alerts
  • Messages
• Operates in real time
• Search, navigate, graph and report data

Splunk with Attack Graphs
• Targets specific attack paths
• Allows unlimited attack types
• Provides a systematic and proactive approach

Event Logs and Registry
• Standard on Windows
• Monitor events
  • Application
  • Security
  • System
• Identify operations and information
• Essential for the attack graph
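The attack graph, the Splunk-based proactive design and the event-log section above describe one detection idea: vertices are exploit stages, edges constrain their order, and normalised Windows event records confirm stages as they occur, raising an alert each time an edge is traversed. The following is an added example written for this page, not code from the poster or from Splunk; the graph vertices, the (log, event kind) labels and the sample records are all constructed for illustration.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts log kind host detail")

# Constructed USB-exploit attack graph: vertices are stages of the exploit,
# each edge says "this stage may only follow its parent stage".
USB_ATTACK_GRAPH = {
    "usb_inserted": ["autorun_executed"],
    "autorun_executed": ["documents_collected", "worm_sent"],
    "documents_collected": ["worm_sent"],
    "worm_sent": [],
}
ROOT = "usb_inserted"

# Which (log, event kind) pair confirms which vertex. The event kinds are
# constructed labels standing in for normalised Windows event/registry data.
EVENT_TO_VERTEX = {
    ("System", "usb_device_arrival"): "usb_inserted",
    ("Security", "process_created"): "autorun_executed",
    ("Security", "file_read"): "documents_collected",
    ("System", "smb_connection"): "worm_sent",
}

# Constructed sample records: timestamp|log|kind|host|detail
SAMPLE_LOG = """\
2009-07-20T10:00:01|System|usb_device_arrival|ws01|VID_0000&PID_0000
2009-07-20T10:00:02|Security|process_created|ws01|E:\\autorun.exe
2009-07-20T10:00:03|Security|process_created|ws02|C:\\Windows\\notepad.exe
2009-07-20T10:00:05|Security|file_read|ws01|\\\\files\\confidential\\budget.xls
2009-07-20T10:00:09|System|smb_connection|ws01|10.0.0.25
"""

def parse_line(line):
    return Event(*line.split("|", 4))

def walk_attack_graph(events, graph=USB_ATTACK_GRAPH, root=ROOT):
    """Track per host how far along the attack graph the observed events have
    progressed; raise one alert each time an edge of the graph is traversed."""
    progress, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        vertex = EVENT_TO_VERTEX.get((ev.log, ev.kind))
        if vertex is None:                  # event not part of this graph
            continue
        path = progress.setdefault(ev.host, [])
        if not path:
            if vertex == root:              # only the root can start a path
                path.append(vertex)
        elif vertex in graph[path[-1]]:     # edge constraint satisfied
            path.append(vertex)
            alerts.append((ev.ts, ev.host, " -> ".join(path)))
    return progress, alerts

def run_detection(text=SAMPLE_LOG):
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return walk_attack_graph(events)
```

Note that the ordinary process start on ws02 produces no alert because no root-stage event preceded it on that host, which is the edge constraint doing its work.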

Purpose
• Increase cyber security and protection
• Identify possible cyber attacks as they occur
• Examine Universal Serial Bus (USB) exploits
• Create an attack graph of a USB exploit
• Explore event log and registry data
• Investigate the theoretical proactive design

Future Work
• Create the plug-in
• Implement the design on a test network
• Run a trial exploit
• Research and prepare other exploits/attacks

Fig. 1 USB exploit attack graph

Fig. 2 Windows XP Event Viewer

Fig. 3 Splunk

Fig. 4 Proactive Digital Forensic Design